In many parts of the world, including North America, national telephone networks that were once controlled by a relatively small number of large operators have been opened to competition. One result of this open competitive market has been the rapid proliferation of smaller service providers and an associated host of additional network-to-network interconnection requirements. These network interconnections expose the signaling system 7 (SS7) networks of both the pre-existing as well as the new service providers to new risks, despite the fact that network access is still tightly controlled and inter-operating telephone companies sign agreements and follow procedures to preserve the integrity of their networks.
To ensure the stability and integrity of the networks, operators were forced to develop and adopt more aggressive protective measures. For example, the SS7 protocol and signaling point behavior were enhanced with gateway screening (GWS) functions to block data packets from entering an SS7 network if they did not conform to a predefined format and content. This signaling message screening functionality is commonly employed in telephony signaling networks worldwide and is well defined and described in a number of telecommunication industry standard specifications, including GR-246-Core, Telcordia Technologies Specification of Signaling System Number 7, Issue 6, December 2001, and GR-82-Core, Signaling Transfer Point Generic Requirements, Issue 4—December 2000, the disclosures of each of which are incorporated herein by reference in its entirety.
In an STP, gateway screening provides the mechanism for preventing unwanted signaling messages from being allowed into and/or routed through the node. In an SS7 signaling environment, these signaling messages may include ISDN user part (ISUP) messages, telephony user part (TUP) messages, transaction capability application part (TCAP) messages, and mobile application part (MAP) messages. TCAP and MAP messages typically require the services of a signaling connection control part (SCCP) protocol layer and, consequently, are sometimes referred to as SCCP messages. In addition to these user messages, both message transfer part (MTP) and SCCP level subsystem management messages are also commonly transmitted and received through an SS7 signaling network.
By carefully analyzing its own network topology, as well as its interconnections to external networks, a network operator can construct a comprehensive set of GWS rules which ensure that only signaling messages originated by a known group of signaling points are allowed into the operator's network. Similarly, GWS rule sets can be created which permit only messages associated with certain network services to enter the operator's network. GWS rules such as those described above are most useful for, and primarily intended to, prevent unauthorized access to a network operator's resources. That is, GWS provides operators with a method for monitoring and enforcing agreements associated with transporting signaling traffic and accessing network service resources (e.g., service control points) by essentially defining the set of all signaling points with which communication is allowed and/or the service types that are supported.
In addition to user messages (e.g., ISUP, TCAP, MAP, etc.), certain types of network management messages require screening of the affected destination field (MTP network management) or of the affected point code/subsystem number field (SCCP subsystem management). For example, an MTP transfer prohibited (TFP) message received from an adjacent signaling point indicates to network management processes at an STP that the point code specified in the affected destination field of the message is prohibited. Affected destination GWS rules can ensure that the affected point code or destination field value specified in a received network management message is, in fact, a network address that is known to the receiving node. Without this type of GWS, an interconnecting network could accidentally send a network management message that includes an invalid affected point code or destination field value to a signaling point within an adjacent network.
While such GWS algorithms provide some degree of protection against accidental or non-malicious errors, signaling networks remain substantially vulnerable to malicious activity. A main disadvantage of traditional gateway screening is that it is primarily a reactive method that requires manual intervention to analyze new messages to be screened. To further illustrate this point, consider the network signaling scenario shown in FIG. 1. FIG. 1 includes an exemplary SS7 network, generally indicated by reference numeral 150, which is comprised of a number of network elements including a first service switching point (SSP) 152, a second SSP 154, a third SSP 156, a service control point (SCP) 158, a first STP node 160, a second STP node 162, a third STP node 164, and a fourth STP node 166. The four STP nodes are fully interconnected via SS7 signaling linksets (e.g., LS2 and LS3), while each SSP node is connected to at least one of the STP nodes. More particularly, SSP node 156 is coupled to STP 160 via an SS7 signaling linkset LS1. SCP node 158, which is assigned an SS7 point code of 1-1-1, is similarly coupled to STP 164 via an SS7 signaling link.
While existing GWS implementations may provide a technique for preventing signaling messages sent to or from unauthorized point code addresses, existing GWS technology does not provide significant protection from malicious attacks using “authorized” point code addresses. Referring again to FIG. 1, it will be appreciated that if a malicious individual or organization were to gain access to a network signaling point, such as SSP 156, malicious SCCP subsystem management messages could be constructed and communicated to STP 160 via signaling linkset LS1. Such a malicious message might include an SCCP subsystem prohibited (SSP) subsystem management message (not to be confused with a service switching point) with a “valid” OPC value equal to that of SSP 156, as well as a “valid” affected point code/SSN value equal to that of SCP node 158 (i.e., APC/SSN=1-1-1/12). Since the OPC and APC/SSN values in the subsystem management message are both valid addresses, gateway screening on STP 160 would not identify such a message as anomalous and potentially threatening, even though such a network management message should never be received on LS1. It will be appreciated that under normal circumstances, the subsystem prohibited message described above should only be received at STP 160 via LS2 or LS3.
SCCP subsystem management processes on STP 160 may subsequently notify other concerned nodes in the network (e.g., SSP 152) that subsystem 12 of SCP node 158 is unavailable. Widespread and coordinated dissemination of such malicious network management messages within a signaling network could potentially disrupt and disable telephone communications on a large scale.
Moreover, other than a check as to whether the affected point code in the subsystem management message is known to the receiving node, there is nothing to prevent an attacker from originating malicious subsystem or network management messages from a valid point code and adversely affecting nodes at other locations in the network. Allowing an attacker to bring down network resources in other locations from a single location is undesirable.
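The following Python model is added here as an illustration and is not part of the original disclosure or of the cited Telcordia specifications. It encodes, for STP 160 of FIG. 1, the two screens the preceding paragraphs describe (an allowed-OPC list per linkset and the affected point code check of the earlier paragraph on network management messages), and shows that both admit the subsystem prohibited message injected from SSP 156 over LS1. It then adds the check the scenario itself suggests: a subsystem management message about a destination is only accepted over a linkset that lies on the receiving node's route toward that destination. Only point code 1-1-1 (SCP 158, subsystem 12) and linksets LS1 through LS3 come from the text; all other point codes, the routing table and the sample messages are constructed for the example.

```python
"""Gateway screening (GWS) checks for SCCP subsystem management messages.

Added illustration of STP 160 in FIG. 1: OPC and affected-point-code
screening admits a subsystem prohibited message injected from an authorized
SSP, while an ingress-linkset consistency check rejects it.

Point code 1-1-1 (SCP 158, subsystem 12) and linksets LS1-LS3 come from the
text; every other point code and the routing table are constructed values.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# SCCP management (SCMG) message types used here.
SCMG_SSP = "SSP"  # subsystem prohibited
SCMG_SSA = "SSA"  # subsystem allowed


@dataclass(frozen=True)
class ScmgMessage:
    """Fields of an SCMG message as seen by the receiving STP."""
    linkset: str       # inbound linkset the message arrived on
    opc: str           # MTP originating point code
    msg_type: str      # SCMG_SSP or SCMG_SSA
    affected_pc: str   # affected point code
    affected_ssn: int  # affected subsystem number


# Point codes known to STP 160 (constructed, except 1-1-1 for SCP 158).
KNOWN_POINT_CODES: Set[str] = {"1-1-1", "2-2-2", "3-3-3", "4-4-4"}

# OPCs permitted to originate traffic on each inbound linkset (constructed).
ALLOWED_OPC_PER_LINKSET: Dict[str, Set[str]] = {
    "LS1": {"2-2-2"},           # SSP 156
    "LS2": {"1-1-1", "3-3-3"},  # STP 164 and SCP 158 behind it
    "LS3": {"1-1-1", "4-4-4"},  # alternate path through the STP quad
}

# Routing table of STP 160: linksets over which each destination is reached
# (constructed). The example enforces the rule implied by the text: status
# about a destination arrives from the direction of that destination, not
# over an unrelated access linkset.
ROUTES: Dict[str, Set[str]] = {
    "1-1-1": {"LS2", "LS3"},
    "2-2-2": {"LS1"},
    "3-3-3": {"LS2"},
    "4-4-4": {"LS3"},
}


def traditional_gws(msg: ScmgMessage) -> List[str]:
    """Screening as described in the text: allowed OPC per linkset plus a
    check that the affected point code is known. Returns rejection reasons;
    an empty list means the message is admitted."""
    reasons: List[str] = []
    if msg.opc not in ALLOWED_OPC_PER_LINKSET.get(msg.linkset, set()):
        reasons.append(f"OPC {msg.opc} not permitted on {msg.linkset}")
    if msg.affected_pc not in KNOWN_POINT_CODES:
        reasons.append(f"affected point code {msg.affected_pc} is unknown")
    return reasons


def ingress_consistency_gws(msg: ScmgMessage) -> List[str]:
    """Traditional screening plus an ingress check: an SSP/SSA message about
    a destination must arrive over a linkset on this node's route toward
    that destination."""
    reasons = traditional_gws(msg)
    if msg.msg_type in (SCMG_SSP, SCMG_SSA):
        expected = ROUTES.get(msg.affected_pc, set())
        if msg.linkset not in expected:
            reasons.append(
                f"{msg.msg_type} for {msg.affected_pc}/{msg.affected_ssn} "
                f"arrived on {msg.linkset}; expected {sorted(expected) or 'none'}"
            )
    return reasons


# Constructed sample messages.
# Injected from compromised SSP 156: valid OPC, valid APC/SSN, wrong linkset.
MALICIOUS_SSP = ScmgMessage("LS1", "2-2-2", SCMG_SSP, "1-1-1", 12)
# Genuine status report arriving from the direction of SCP 158.
LEGITIMATE_SSP = ScmgMessage("LS2", "1-1-1", SCMG_SSP, "1-1-1", 12)
# Accidental report about a point code STP 160 has never heard of.
UNKNOWN_APC_SSP = ScmgMessage("LS2", "3-3-3", SCMG_SSP, "9-9-9", 12)


if __name__ == "__main__":
    samples = [("malicious", MALICIOUS_SSP), ("legitimate", LEGITIMATE_SSP),
               ("unknown APC", UNKNOWN_APC_SSP)]
    for name, msg in samples:
        print(f"{name:12s} traditional : {traditional_gws(msg) or 'admitted'}")
        print(f"{name:12s} with ingress: {ingress_consistency_gws(msg) or 'admitted'}")
```

Run stand-alone, the model admits the malicious message under the traditional screens and rejects it only under the ingress check, while the legitimate report from the direction of SCP 158 passes both and the report about an unknown point code is caught by the affected point code screen alone. The ingress rule depends on the node's routing table being authoritative for the affected point code; a destination reachable over every linkset would gain nothing from it.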
Therefore, what is needed is an improved signaling message security technique that is capable of identifying and mitigating malicious network and subsystem messages in a signaling network.